[BCLUG] Interesting email about domain expiring - SPF vs SPAM question

Rick Moen rick at linuxmafia.com
Fri Aug 19 20:46:47 EDT 2022


Quoting Ian Samuel (ian at mrzesty.net):

> but it needs to be stressed that SPF provides a suggestion to other
> mail servers that the _SMTP envelope sender_ (not the From:
> header field) address can only originate from listed IPs. SPF does
> not prevent spoofing of a From: header, you need DKIM for that.

In context, I was honestly not clear what Our Good Host meant when he
said "message was sent through the email server for this domain".  Some
forgeries are limited to forging internal headers.  The more-competent 
ones originated by Yuri Rutman in his 1997 revenge-spam attacks against
Joe Doll of Joe's Cyberpost go beyond that and forge the SMTP envelope
sender.  (ISTR that it was a hired job done by a Perl coder.)

I was a net.admin.net-abuse.email (etc.) regular in the antispam
community, at the time, hence I was among the recipients of the
flamebait mails forged by said hired-gun Perl scripter to appear to come
from the entirely innocent Mr. Doll.

I note the coincidence(?) that Google, Inc. now no longer resolves
queries on Google Groups to the detailed Usenet postings documenting
and discussing the incident.  Hence, some of the links from
http://linuxmafia.com/kb/Mail/ are now broken.  

Perhaps not coincidentally, Mr. Rutman has had a history of threatening
litigation against people discussing his role.  (I used to host a copy
of local attorney Mark Welch's blog article "The Weekend IBM.NET Almost
Died" on my Web server, and redirected that link to Welch's site after
receiving threatening telephone calls, then after Welch's copy
mysteriously disappeared, repointed to Internet Archive's copy, then
after _that_ mysteriously disappeared, had no link for a while -- and
finally, relinked to Welch's site when he put it back online again.)

It's equally possible that the Google Groups breakage is just more 
collateral damage from one of the firm's periodic revampings.  If I 
have time & energy, I'll see if I can find replacement links, as 
IMO the event was significant and should remain documented.
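
Added example, not part of the original post: a small receiver-side check illustrating the distinction drawn in this thread, that SPF authorizes the connecting IP for the SMTP envelope sender only and says nothing about the From: header. The SPF records, addresses and message are constructed samples, the record table stands in for a DNS TXT lookup, and only ip4/ip6/all mechanisms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records using documentation IP ranges (assumption: no DNS here).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example.net": "v=spf1 ip4:198.51.100.7 -all",
}
# Constructed message; every case below delivers this same From: header.
MSG = "From: Joe <joe@example.org>\nTo: list@example.com\nSubject: hi\n\nbody\n"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def spf_result(client_ip, mail_from):
    """Check the connecting IP against the envelope sender domain's record."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"

def assess(client_ip, mail_from, raw_message):
    """Return (spf, from_matches_envelope, verdict) for one delivery."""
    spf = spf_result(client_ip, mail_from)
    from_domain = domain_of(message_from_string(raw_message).get("From", ""))
    matches = from_domain == domain_of(mail_from)   # exact-match comparison only
    if spf != "pass":
        verdict = "envelope sender not authorized by SPF"
    elif not matches:
        verdict = "SPF pass, but From: header domain differs from envelope"
    else:
        verdict = "SPF pass and From: domain matches envelope"
    return spf, matches, verdict

if __name__ == "__main__":
    for ip, env in [("192.0.2.10", "joe@example.org"),
                    ("198.51.100.7", "bounce@bulk.example.net"),
                    ("203.0.113.5", "joe@example.org")]:
        print(ip, env, assess(ip, env, MSG))
```

The second case is the header-only forgery: SPF passes because the envelope domain is the sender's own, while the From: header still names example.org. The third is the forged envelope sender, which is the case SPF does catch.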


